|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720"
m (→Userland) |
m |
||
| Line 16: | Line 16: | ||
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3 |
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3 |
||
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0 |
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0 |
||
| + | * [[Packet Filter Kernel Exploit]] - Works up to [[iOS]] 4.1 |
||
=== [[Userland]] === |
=== [[Userland]] === |
||
Revision as of 22:17, 10 January 2011
This is the Application Processor used on the iPod Touch 2G.
Contents
Exploits
iBoot
Note: iBoot on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares
- ARM7 Go - Works on iOS 2.1.1
- iBoot Environment Variable Overflow - Works up to iOS 3.1 beta 3
- usb_control_msg(0x21, 2) Exploit - Works up to iOS 3.1.2
Bootrom
- 0x24000 Segment Overflow - only in iBoot-240.4 (old bootrom)
- usb_control_msg(0xA1, 1) Exploit - in iBoot-240.4 and iBoot-240.5.1
Kernel
- BPF STX Kernel Write Exploit - Works up to iOS 3.1.3
- IOSurface Kernel Exploit - Works up to iOS 4.0
- Packet Filter Kernel Exploit - Works up to iOS 4.1
Userland
- MobileBackup Copy Exploit - Works up to iOS 3.1.3
- Malformed CFF Vulnerability - Works up to iOS 4.0
Boot Chain
VROM->LLB->iBoot->Kernel->System Software
It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow, provided the bootrom is old enough.
